IG templates and resources
IG templates and resources
PSNC with others prepared data security and IG templates that may assist pharmacy contractors with their completion of the Data and Security Protection Toolkit (DSPTK).
Templates to assist completion of DSPTK (updated Jan 2020)
Data security and IG templates (updated January 2020)
Note that many of these below are referenced within the GDPR Workbook.
Template 1: Data and security and IG policy
Template 2: Staff confidentiality agreement
Suggested Contract Clause for Individual Staff members: “You may not during or after the termination of your employment disclose to anyone other than in the proper course of your employment or where required by law, any information of a confidential nature relating to the company or its business or customers. Breach of this clause may lead to dismissal without notice and/or legal action. Guidance on standards expected can be found in the staff code of conduct.”
Template 3: Staff confidentiality code
Template 4: Data handling procedure
Template 5: Privacy notice (wording for websites or patient information leaflets) (also alternative versions: Large-print version / A4 version.
Note: that communications materials are provided in different formats or by different routes to meet the need of patients with special or different needs. NHS 111 provide an interpreter service to support communicating with patients who do not speak English.
Note: The pharmacy asset register is likely to contain commercially sensitive information so there is no requirement for the details to be shared with the NHS. Where the pharmacy maintains information on software, hardware or services in a separate asset register for accounting, insurance or business continuity purposes, an option is to do a cross reference from the relevant sections in the information asset register to the relevant register or location that this information is stored to prevent duplicating effort.
Template 7: Physical security risk assessment
Template 8: Mobile computing guidelines
Template 9: Portable equipment / Asset control form
Template 10: Disposal of portable assets
Template 11: Incident management procedures
Template 12: Information security incident report form
Template 13: Audit sheet
Templates 14: You may use Staff signature list [all policies] for all to re-sign annually and for new joiners to sign) (one list related to staff confirming in relation to all policies) or Staff Signature List Page [for each policy separately] (multiple lists relating to staff being able to confirm in relation to each policy separately).
Template 15: Access control and password management procedure
NB: If staff do not have cards subject to the RA01 terms and conditions (i.e. EPS Release 2 cards), this requirement can be marked not relevant (NR).
Template 17: Data quality policy
Template 19: Mapping data flows: Data flow map illustration
Template 20: Confidentiality agreement for non-contracted workers visiting pharmacy. The pharmacy may have persons working for it (otherwise than under a contract of employment) e.g. locum pharmacists, or have persons visiting the pharmacy who are likely to have access to areas of the pharmacy not generally accessible by members of the public. One way to help safeguard the confidentiality of patients’ personal and sensitive personal data is by requiring the third party to agree to a confidentiality agreement. We recommend that the pharmacy retain the original signed confidentiality agreements for at least 6 years before considering disposal.
NB: PSNC originally developed these templates 1-16 with the support of the Department of Health and Social Care. NHS Employers, NHS Connecting for Health and the RPSGB also contributed to the development of many of these.
- Template A: Decide who is responsible
- Template B: Action plan
- Template C: Think about and record the personal data you process; and Assure your lawful basis for processing
- Template D: Process according to data protection principles
- Template E: Review and check with your processors
- Template F: Obtain consent if you need to
- Template G: Tell people about your processes: the Privacy Notice
- Template H: Ensure data security
- Template I: Consider personal data breaches
- Template K: Think about data subject rights
- Template L: Ensure privacy by design and default
- Template M: Data protection impact assessment (DPIA)
- Emergency planning/ Business continuity
- NHS Digital data security centre have published NHS Digital security template policies which can be adapted by contractors, relating to various topics. Additional IG resources on instant messaging, videoconferencing and bring your own device are at the NHS Digital IG resources webpage.
- Social media policy (Appendix to DH Social interaction guidance) (PDF)
- Guide to Confidentiality in Health and Social Care (NHS Digital 2013) explains the various rules about the use and sharing of confidential information. It has been designed to be easily accessible and to aid good decision making. It also explains the responsibility organisations have to keep confidential information secure.
- PSNC Briefing: To share or not to share – government response to the Caldicott Review (2013)
This PSNC Briefing summarises Information: To Share or not to Share – Government Response to the Caldicott Review which was published by the Department of Health and Social Care (DHSC) in 2013.
- PSNC Briefing: A summary of the Caldicott Review on information governance (2013)
Dame Fiona Caldicott undertook an independent review of information governance within the NHS in England and her report Information: To Share or Not to Share? was published in April 2013. This PSNC Briefing summarises the key points in the report.
If you have feedback or wish to wish to request further templates that do not yet exist, please email email@example.com.
These templates have been provided as a basis for local adaptation. It is a contractor’s responsibility to ensure their compliance with professional and legal requirements. Where legal advice is required, it should be sought from a Solicitor or Counsel.
Back to IG and cybersecurity